authortb <>2022-03-26 16:34:21 +0000
committertb <>2022-03-26 16:34:21 +0000
commit62e5583bb1b862560432775b3c0765db00173fc6 (patch)
treeb479f5e5efe3b6b03f82d771d623f8ae686fc6d0
parent2ce3af26514a8bfe23e0605aa5b31dc0ab865be1 (diff)
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be). Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs. In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later. ok beck inoguchi jsing
-rw-r--r--src/lib/libcrypto/x509/x509_alt.c11
-rw-r--r--src/lib/libcrypto/x509/x509_constraints.c26
2 files changed, 25 insertions, 12 deletions
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 845ab1364f..8656df82b3 100644
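--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.11 2022/03/14 21:15:49 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.12 2022/03/26 16:34:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -673,21 +673,24 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
  case GEN_DNS:
  if (!x509_constraints_valid_sandns(bytes, len)) {
  X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+ ERR_asprintf_error_data("name=%s value='%.*s'", name,
+ (int)len, bytes);
  goto err;
  }
  break;
  case GEN_URI:
  if (!x509_constraints_uri_host(bytes, len, NULL)) {
  X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+ ERR_asprintf_error_data("name=%s value='%.*s'", name,
+ (int)len, bytes);
  goto err;
  }
  break;
  case GEN_EMAIL:
  if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
  X509V3error(X509V3_R_BAD_OBJECT);
- ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+ ERR_asprintf_error_data("name=%s value='%.*s'", name,
+ (int)len, bytes);
  goto err;
  }
  break;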
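Review bot: The `(int)len` precision added to the three `ERR_asprintf_error_data()` calls in v2i_GENERAL_NAME_ex() bounds the read only while `len` fits in an int; printf-style formatting treats a negative precision as if it were omitted, so `%.*s` would then read up to the first NUL again. The type and origin of `len` are outside this hunk, so this may be unreachable, but the assumption deserves a comment at the first call, for example `/* len <= INT_MAX here; a negative precision would drop the bound */`, or a clamp if it cannot be guaranteed. Note also that `%.*s` still stops at an embedded NUL, so for a rejected value that contains one the error data shows only the prefix before it. The function body starts and ends outside the hunk.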
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 4f24277918..533bbbf4ca 100644
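--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -657,35 +657,45 @@ x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes,
 
  if (name->type == GEN_DNS) {
  ASN1_IA5STRING *aname = name->d.dNSName;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_EMAIL) {
  ASN1_IA5STRING *aname = name->d.rfc822Name;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_URI) {
  ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_DIRNAME) {
  X509_NAME *dname = name->d.directoryName;
+
  if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) {
  *bytes = dname->canon_enc;
  *len = dname->canon_enclen;
+
  return name->type;
  }
  }
  if (name->type == GEN_IPADD) {
  *bytes = name->d.ip->data;
  *len = name->d.ip->length;
+
  return name->type;
  }
+
  return 0;
 }
 
@@ -723,7 +733,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
  *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  goto err;
  }
- if ((vname->name = strdup(bytes)) == NULL) {
+ if ((vname->name = strndup(bytes, len)) == NULL) {
  *error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -931,7 +941,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  case GEN_DNS:
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -953,7 +963,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  }
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -973,7 +983,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  case GEN_URI:
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }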
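Review bot: The four `strndup(bytes, len)` calls (one in x509_constraints_extract_names(), three in x509_constraints_validate()) still stop copying at the first NUL, so the stored name equals the certificate's bytes only if the check just before each call rejected embedded NULs, and nothing at the call sites states that dependency. The validators themselves are outside these hunks, so I would add a comment at each site such as `/* the check above rejects embedded NULs, so this copies all len bytes */`, or make the invariant explicit with a `memchr(bytes, '\0', len)` test before the copy. Separately, in x509_constraints_general_to_bytes() the new `*len = aname->length;` stores an ASN1_STRING length, which is an int, into `*len`; if `*len` is a size_t (its declaration is not visible here), a negative length would turn into a very large one, so rejecting `aname->length < 0` there would be cheap. All of these functions begin or end outside the hunks shown.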